Guide to Data Protection Auditing

Audit Environment (print ref: Part 3, Section 3.2)

Once the Opening Meeting has taken place, the main activity of the Compliance Audit can begin. However, it is very important at this stage to make sure that each component of the Compliance Audit takes place in the most suitable environment and with the most appropriate members of the organisation's staff.

Functional or Vertical Audit

This involves checking the operation of the Data Protection System within a particular area, function or department, and the Functional Audit Checklists of Annexes F, G and H will form the basis for this component of the Compliance Audit. It should be possible to work through a lot of these checklists in a conference room environment, which could be the room where the Opening Meeting was held, the Audit Base Room itself, or somewhere similar.

It is also highly probable that the organisation's Data Protection Manager/Officer will be the best person to answer these questions, although other senior staff might need to be brought in to answer specific questions. There are, however, two important factors to consider at this stage:

  • A conference room environment may be ideal for clarifying the details of the Data Protection System but will be inadequate for checking that it is actually being used in practice and that it is effective. These last two aspects of the Data Protection System can only be assessed adequately in situ by questioning the operational staff who actually perform the work.
  • It is highly likely that any documentation that is brought into the conference room to answer a specific question will have been carefully selected beforehand as the best example. Auditors should always ask to be shown where the documents are kept and try to select their own samples.

Tips on conducting the Functional or Vertical Audit.
